In its first enforcement actions, the Consumer Financial Protection Bureau (CFPB) caught the financial industry’s attention with restitution awards and refunds for consumers totaling $425 million and civil penalties exceeding $46 million. The CFPB also signaled its intention to ensure that financial institutions supervise their vendors, the products they sell and the services they provide. In addition, although the three enforcement actions involved credit card companies, the CFPB has warned that future enforcement actions will not be limited to credit card add-on products. Indeed, the director of the CFPB, Richard Cordray, recently acknowledged that “fixing the mortgage markets remains an urgent priority.” With final rules relating to mortgage products due by January 2013, the mortgage industry may be next.

Traditionally, financial institutions used third-party service providers because they lowered costs, reduced the risks of exposure on consumer claims and provided expertise that organizations could not be efficiently replicate in-house. The Dodd-Frank Act, however, significantly altered the pros and cons of that calculus. It requires supervised banks and nonbanks to oversee the actions of their service providers. The act also includes a very broad definition of “service provider,” which encompasses “any person that provides a material service to a covered person in connection with the offering or provision by such covered person of a consumer financial product or service.”

With high fines and headlines, the CFPB alerted all companies of its intention to closely monitor marketing practices and to hold covered institutions responsible for the actions of their third-party vendors. Indeed, the CFPB put the mortgage industry on notice that financial institutions must oversee their third-party vendors as early as October 2011, when the agency issued examination procedures for mortgage servicing. More recently the CFPB issued two proposed rules that would require mortgage servicers to oversee the actions of their vendors. These proposed rules under Regulation Z in the Truth and Lending Act and Regulation X of the Real Estate Settlement Procedures Act would require greater third-party oversight, incorporating aspects from the National Mortgage Settlement, pursuant to which the CFPB and other government agencies required the five largest servicers to supervise and independently audit their third-party vendors.

Fortunately, financial institutions can minimize their risk of becoming the target of a CFPB enforcement action based on a vendor’s activities by taking a few simple steps to increase their internal and external compliance programs.

Establish written procedures and minimum criteria for selecting service providers

In appropriate circumstances, create record keeping guidelines for service providers, with particular attention to foreclosure-related documents

Periodically review third-party service providers and have an independent audit conducted on your own business records to ensure compliance with the written guidelines

Establish a method of monitoring complaints about third-party vendors and require that vendors address any deficiencies in service related to those complaints

While those procedures may reduce liability for a vendor’s actions, financial institutions must also consider whether the vendor markets any potentially abusive products. Dodd-Frank and the CFPB provide less guidance in this respect. The act focuses on minimizing abusive “acts and practices,” rather than on limiting or eliminating the sale of individual products. Not surprisingly, therefore, the CFPB seems to have focused its early attention on marketing practices rather than specific products. Thus, no one knows what, if any, products will gain the dubious distinction of garnering the CFPB’s specific attention. While the CFPB has not provided definitive answers, it has indicated through proposed rules, that it will be monitoring certain products carefully, including force-placed insurance and adjustable rate mortgages. To minimize the risk associated with marketing such products, companies would be well advised to provide consumers with a clear and concise explanation of how the product works before the customer purchases the product. Similarly, businesses should disclose any subsequent changes in the product well in advance of the effective date of the change.

In short, legal compliance no longer provides the safe haven that it once did. As before, mortgage services and products must comply with all legal requirements. However, to comply with the act, lenders and servicers must now consider whether the way in which they market a particular product is fair to the consumer, and they must make same inquiry regardless of whether the financial institution sells the product or provides it through a third-party vendor.